Now I do have S.O.S. configured (and running) on each of my search head cluster members, so do I also need to have S.O.S. installed on the indexers if what I want to have pushed down to the indexer layer from the search head is the _audit and _internal data?
You don't necessarily need to install the S.O.S. app on the indexers as well. You could just configure the index definition on your indexers yourself. An easier way, of course, would be to deploy the S.O.S. app from the master to the indexers.
For Splunk data itself, there are no additional actions required besides modifying your outputs.conf to forward data to your indexers.
But this
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
will actually only send data from those three indexes.
As a side note, we prefer weighted load balancing (I write this because I saw autoLBFrequency = 30 in your outputs.conf, so I assume you're not using weighted LB. Still, this value takes effect with weighted LB). You have quite a lot of settings in your tcpout stanza.
Skalli
Edit: Damn, that other guy tricked me. It's an old thread.
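As an added illustration (not Skalli's or the original poster's configuration), here is how the three numbered filter settings stack up in a search head's outputs.conf to produce the behaviour described above; the output group name and indexer hosts are placeholders:

```ini
# outputs.conf on the search head (added example; group name and hosts are placeholders)
[tcpout]
defaultGroup = indexer_cluster
# Do not also index the forwarded events locally on the search head.
indexAndForward = false
# Index filters are tested in numeric order and a later rule overrides an
# earlier one for the indexes it matches: rule 0 makes every index eligible,
# rule 1 removes all underscore (internal) indexes again, and rule 2 re-enables
# only the three named ones. Any other "_" index therefore stays local.
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection)
# Leave the filter chain active.
forwardedindex.filter.disable = false

[tcpout:indexer_cluster]
server = idx1.example.com:9997, idx2.example.com:9997
```

Running `splunk btool outputs list tcpout --debug` on the search head shows the merged result of all outputs.conf layers, with the file each setting came from, which is the quickest way to confirm which filter lines are actually in effect.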